
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability identified as CVE-2025-25012 was discovered in Kibana, affecting versions up to and including 7.17.28, 8.0.0 up to 8.17.7, 8.18.0 up to 8.18.2, and 9.0.0 up to 9.0.2. The vulnerability is classified as an Open Redirect flaw that could allow attackers to redirect users to arbitrary sites and perform server-side request forgery through specially crafted URLs (Elastic Discussion).
The vulnerability is a URL redirection to an untrusted site (Open Redirect) that affects Kibana installations making use of Short URLs within the Discover, Dashboard, and Visualization Library features. The severity is rated as Medium with a CVSS v3.1 score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) (Elastic Discussion).
The vulnerability can lead to users being redirected to malicious websites and potential server-side request forgery attacks. This affects organizations using Kibana's Short URL features in their Discover, Dashboard, and Visualization Library components (Elastic Discussion).
Elastic has released patched versions 7.17.29, 8.17.8, 8.18.3, and 9.0.3 to address this vulnerability. For users unable to upgrade, administrators should restrict access to Kibana features that grant the ability to generate Short URLs. Organizations with Gold, Platinum, or Enterprise licenses can use sub-feature privileges to restrict short-url creation while maintaining read/write access to other features (Elastic Discussion).
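To triage an inventory against the version ranges above, the following added example (not Elastic's or this database's code) maps each Kibana version to the patched release it should move to. The host names and sample versions are constructed, and treating every release below 7.17.29 as affected is a reading of "up to and including 7.17.28".

```python
import re

# Affected ranges from the advisory text: (lowest, highest, patched release).
# Assumption: "up to and including 7.17.28" covers all earlier releases too.
AFFECTED = [
    ((0, 0, 0), (7, 17, 28), "7.17.29"),
    ((8, 0, 0), (8, 17, 7), "8.17.8"),
    ((8, 18, 0), (8, 18, 2), "8.18.3"),
    ((9, 0, 0), (9, 0, 2), "9.0.3"),
]

# Plain major.minor.patch only; suffixed builds (e.g. -SNAPSHOT) are not
# guessed at and go to manual review instead.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a plain x.y.z version: {text!r}")
    return tuple(int(part) for part in match.groups())


def fixed_release_for(version):
    """Return the patched release for an affected version, else None."""
    parsed = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= parsed <= high:
            return fixed
    return None


def triage(inventory):
    """Map host -> (status, patched release or None)."""
    report = {}
    for host, version in inventory.items():
        try:
            fixed = fixed_release_for(version)
        except ValueError:
            report[host] = ("review", None)
            continue
        report[host] = ("affected", fixed) if fixed else ("not affected", None)
    return report


# Constructed sample inventory for illustration.
SAMPLE_INVENTORY = {"kibana-a": "8.17.7", "kibana-b": "8.18.3",
                    "kibana-c": "7.17.28", "kibana-d": "9.0.1-SNAPSHOT"}

if __name__ == "__main__":
    for host, (status, fixed) in triage(SAMPLE_INVENTORY).items():
        print(host, status, fixed or "-")
```

Hosts reported as "review" carry a version string the parser refuses to interpret and should be checked by hand.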
Source: This report was generated using AI